AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2015 AEGIS 1

Transcription

1 AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University KU Leuven and iminds 1

2 AEGIS: A shield carried by Athena and Zeus 2

3 Different Design Approaches: Fast AES-NI SIMD (AEGIS) (MORUS) Lightweight Mode (JAMBU) Dedicated (ACORN) 3

4 No tweak for the second round 4

5 AEGIS: Main features Fast AEGIS-128L is 0.30 clock cycles/byte on Haswell (16KB messages) Fully use the pipeline of AES-NI Nonce be used only once 5

6 AEGIS AEGIS-128L 128-bit key, 1024-bit state AEGIS bit key, 640-bit state AEGIS bit key, 756-bit state Tag: 128-bit 6

7 AEGIS: Properties Properties Parallelizable: locally No security reduction but easy to analyze Not resistant to nonce reuse Performance: size/speed tradeoff 7

8 AEGIS Design Rationale Inspiration Pelican MAC [Daemen-Rijmen 05] 128-bit secret state easy to analyze secure up to birthday bound 2.5 times faster than AES Our design: Save the state after each AES round, then construct stream cipher from MAC K x 1 x 2 K 0 AES (10R) AES (4R) AES (4R) AES (10R) 8 8

9 AEGIS Design Rationale (2) Parallel AES round functions in each step so as to fill the AES instruction pipeline AEGIS-128L can make full use of the 8-stage AES instruction pipeline of Haswell processor 9

10 AEGIS-128 S 0 S 1 S 2 S 3 S 4 K IV x i AES(1R) AES(1R) AES(1R) AES(1R) AES(1R) K IV AEGIS (10R) x 1 AEGIS (1R) larger state: 5 x 128 bits but simpler operation: 1 AES round length x 2 AEGIS (1R) still easy to analyze AEGIS (7R) tag 10

11 AEGIS: Security Claims Requirements for secure implementation each key and nonce pair can be used only once if verification fails, the decrypted message and wrong message authentication tag should not be given as output Forgery attack: success prob. 2 -t with t the tag size Key and state cannot be recovered faster than brute force if forgery attack is not successful 128-bit tags strongly recommended 11

12 AEGIS: Security Authentication a difference in ciphertext passes through at least 4 AES rounds stronger than Pelican MAC (4 AES rounds) since difference being distributed to at least 4 words Encryption AEGIS encryption is a stream cipher with nonlinear state update function differential and linear analysis is precluded 12

13 AEGIS: Security Does authentication affect encryption? AEGIS without MAC is vulnerable to a chosen ciphertext attack To preclude chosen ciphertext attack 1) if tag verification fails, the decrypted plaintext should not be given as output 2) the tag size should be sufficiently large to resist a chosen-ciphertext attack (128-bit tag recommended) 13

14 AEGIS: Security Encryption does not weaken authentication At each step, AEGIS leaks 128-bit keystream, i.e., 128- bit state information The overall differential probability of the forgery attack against AEGIS increases But the differential probability that a difference propagates through 5 AES rounds is not affected reason: at each step, the information leaked on S i,j is of the form: S i, 1 ( Si,2 & Si,3) Si,4 14

15 AEGIS: Security Randomness of keystream Recent results (Minaud, SAC 2014) AEGIS keystream bits for distinguishing AEGIS keystream bits for distinguishing AEGIS-128L So far, no results (expected to be strong) 15

16 Performance Speed on Haswell processor (AEGIS-128L) 0.30 cycles/byte (16KB messages) 0.37 cycles/byte ( 4KB messages) 0.51 cycles/byte ( 1KB messages) 1.11 cycles/byte (256B messages) 3.44 cycles/byte ( 64B messages) 16

17 Performance Hardware Area/Throughput tradeoff FPGA implementation of AEGIS-128 Debjyoti Bhattacharjee, Anupam Chattopadhyay at DIAC 2015 For throughput optimized: 121Gbps, 173 KGE AEGIS-128L can be about twice as fast as AEGIS-128, with larger area (60% more). 17

18 Discussions We restrict the disclosure of plaintext when authentication failed What would happen if the attacker knows the decrypted plaintext when authentication failed? For AGEIS, the state may be recovered, but not the secret key: so there is little compromise of encryption security (since the attacker can access to the decrypted plaintext, the encryption security is not a concern here) If the communication protocol terminates/restarts when authentication fails, then there is no compromise of authentication security 18

19 Conclusions Simple design Fast Software: targeting platforms with AES-NI Also fast in hardware Strong in security 19